[Feature Request] Add OTP SMS authentication #179
Comments
Very interested in that. Is that similar to this implementation? https://github.com/aws-samples/amazon-cognito-passwordless-email-auth But using DynamoDB again, like magic links, for rate limiting? Implementing OTP is easier than magic link because you don't have to deal with the link being opened in a different browser. On the other hand, I'd like to include the option to send the OTP using either email or SMS, depending on the user's choice at the time of signing in.
I would say that is closer to the magic link implementation. I have copied most of the code from it. The idea is the same.
Yes.
It is doable. I can adjust. What do you think of this proposal?
For (1), does Cognito provide a "guest" session that I can use? Thanks.
Not sure what you mean by a guest session. You shouldn't need it, I think? Maybe we should implement this as 2 separate flows: email OTP and SMS OTP. Even though they share a lot of code, it may be beneficial for implementation simplicity to keep them separate.
I mean: is there a way I can guarantee that, given an authentication flow X that called the define-authentication-challenge trigger requesting an OTP code, only X can use the OTP?
Agree.
That's what Cognito takes care of for you (it's tied to the session, which is the very long string Cognito returns to you in custom auth calls and that you must provide back again in RespondToAuthChallenge).
I have a fully working SMS OTP authentication patch. Would it be accepted, or is SMS OTP authentication too insecure to be merged into this project?
It is basically a copy of the magic-link implementation but without using KMS to generate and validate the OTP codes. From a security perspective, I was thinking of storing some validation to compensate:
amazon-cognito-passwordless-auth/cdk/custom-auth/magic-link.ts
Lines 138 to 140 in 5bfdab2
This way the only one who could use the OTP is the one who requested it.
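The two points made in this thread (the OTP is tied to the Cognito session, and a keyed hash stored with the challenge so that only the requester can redeem the code) as an added TypeScript example. This is not the project's code and not the patch discussed above: it assumes three hypothetical trigger handlers (defineAuthChallenge, createSmsOtpChallenge, verifySmsOtpAnswer), a caller-supplied sendSms callback in place of an SMS provider, and an HMAC secret read from an assumed OTP_HMAC_SECRET environment variable in place of the KMS-based generation the magic-link flow uses. The event interfaces are a cut-down subset of the real Cognito custom auth trigger events, with the field names Cognito actually uses.

```typescript
import { createHmac, randomInt, timingSafeEqual } from "crypto";

// Minimal shapes of the Cognito custom-auth trigger events used below
// (a subset of the real event objects; field names follow the Cognito trigger contract).
type SessionEntry = { challengeName: string; challengeResult: boolean; challengeMetadata?: string };
interface DefineEvent {
  request: { session: SessionEntry[] };
  response: { challengeName?: string; issueTokens: boolean; failAuthentication: boolean };
}
interface CreateEvent {
  userName: string;
  request: { userAttributes: { phone_number?: string } };
  response: {
    publicChallengeParameters: Record<string, string>;
    privateChallengeParameters: Record<string, string>;
    challengeMetadata: string;
  };
}
interface VerifyEvent {
  userName: string;
  request: { privateChallengeParameters: Record<string, string>; challengeAnswer: string };
  response: { answerCorrect: boolean };
}

const OTP_LENGTH = 6;
const OTP_TTL_MS = 3 * 60 * 1000;
const MAX_ATTEMPTS = 3;
// Assumption: a server-side secret (e.g. from Secrets Manager) stands in for the KMS key
// the magic-link flow uses. The fallback string is a placeholder for this example only.
const OTP_SECRET = process.env.OTP_HMAC_SECRET ?? "example-only-secret";

// Keyed hash of the code, bound to the user and the expiry it was issued with.
export function otpHash(otp: string, userName: string, expiresAt: number): string {
  return createHmac("sha256", OTP_SECRET).update(`${userName}:${expiresAt}:${otp}`).digest("hex");
}

export function generateOtp(): string {
  // randomInt is CSPRNG-backed; pad so leading zeros survive.
  return randomInt(0, 10 ** OTP_LENGTH).toString().padStart(OTP_LENGTH, "0");
}

// DefineAuthChallenge: decide whether to issue tokens, fail, or ask for (another) OTP.
// Cognito maintains request.session per InitiateAuth session, so counting failed
// CUSTOM_CHALLENGE entries there caps wrong guesses per session.
export function defineAuthChallenge(event: DefineEvent): DefineEvent {
  const s = event.request.session;
  const failures = s.filter((e) => e.challengeName === "CUSTOM_CHALLENGE" && !e.challengeResult).length;
  const last = s[s.length - 1];
  event.response.issueTokens = false;
  event.response.failAuthentication = false;
  if (failures >= MAX_ATTEMPTS) {
    event.response.failAuthentication = true; // too many wrong codes: end the session
  } else if (last && last.challengeName === "CUSTOM_CHALLENGE" && last.challengeResult) {
    event.response.issueTokens = true; // correct code: sign the user in
  } else {
    event.response.challengeName = "CUSTOM_CHALLENGE"; // (re)issue an OTP challenge
  }
  return event;
}

// CreateAuthChallenge: mint a code, send it out of band, and keep only its keyed hash in
// privateChallengeParameters. Cognito hands those parameters to VerifyAuthChallengeResponse
// for this session alone, so the code cannot be redeemed from a different session.
export function createSmsOtpChallenge(
  event: CreateEvent,
  sendSms: (phone: string, body: string) => void,
  now: number = Date.now(),
): CreateEvent {
  const phone = event.request.userAttributes.phone_number;
  if (!phone) throw new Error("user has no phone_number attribute");
  const otp = generateOtp();
  const expiresAt = now + OTP_TTL_MS;
  sendSms(phone, `Your sign-in code is ${otp}`);
  event.response.publicChallengeParameters = { deliveryMedium: "SMS" }; // visible to the client
  event.response.privateChallengeParameters = {
    otpHash: otpHash(otp, event.userName, expiresAt), // never sent to the client
    expiresAt: String(expiresAt),
  };
  event.response.challengeMetadata = "SMS_OTP";
  return event;
}

// VerifyAuthChallengeResponse: reject malformed or expired answers, then compare the
// answer's keyed hash against the one stored for this session in constant time.
export function verifySmsOtpAnswer(event: VerifyEvent, now: number = Date.now()): VerifyEvent {
  const { otpHash: expected, expiresAt } = event.request.privateChallengeParameters;
  const answer = event.request.challengeAnswer ?? "";
  const wellFormed = new RegExp(`^\\d{${OTP_LENGTH}}$`).test(answer);
  const unexpired = expected !== undefined && expiresAt !== undefined && now <= Number(expiresAt);
  if (!wellFormed || !unexpired) {
    event.response.answerCorrect = false;
    return event;
  }
  const a = Buffer.from(otpHash(answer, event.userName, Number(expiresAt)), "hex");
  const b = Buffer.from(expected, "hex");
  event.response.answerCorrect = a.length === b.length && timingSafeEqual(a, b);
  return event;
}
```

Only the hash and expiry go into privateChallengeParameters; the plaintext code exists only in the SMS body. Because the hash also covers the user name and expiry, a captured code cannot be replayed for another user or after its window even if the private parameters were somehow reused. Cross-session rate limiting (the DynamoDB question raised earlier in the thread) is deliberately not shown here; the attempt cap above is per session only.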